Gauss - cyber weapon malware

Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Gauss - cyber weapon malware

Post by Pigeon » Thu Mar 14, 2013 11:13 pm


When Stuxnet was found infecting hundreds of thousands of computers worldwide, it was only a matter of time until researchers unraveled its complex code to determine its true intent. Today, analysts are up against a similar challenge. But they're finding considerably less success taking apart the Stuxnet cousin known as Gauss. A novel scheme encrypting one of its main engines has so far defied attempts to crack it, generating intrigue and raising speculation that it may deliver a warhead that's more destructive than anything the world has seen before.

Gauss generated headlines almost immediately after its discovery was documented last year by researchers from Russia-based antivirus provider Kaspersky Lab. State-of-the-art coding techniques that surreptitiously extracted sensitive data from thousands of Middle Eastern computers were worthy of a James Bond or Mission Impossible movie. Adding to the intrigue, code signatures showed Gauss was spawned from the same developers responsible for Stuxnet, the powerful computer worm reportedly unleashed by the US and Israeli governments to disrupt Iran's nuclear program. Gauss also had links to the highly advanced Flame and Duqu espionage trojans.

Gauss contains module names paying homage to the German mathematicians and scientists Johann Carl Friedrich Gauss, Kurt Friedrich Gödel, and Joseph-Louis Lagrange. Its noteworthy features only start there. Gauss has the ability to steal funds and monitor data from clients of several Lebanese banks, making it the first publicly known nation-state sponsored banking trojan. It's also programmed to collect a dizzying array of information about the computers it infects—including its network connections, processes and folders, BIOS, CMOS, RAM, and both local and removable drives.

But the most intriguing characteristic of Gauss is an encrypted payload that has so far remained undeciphered, despite the best efforts of cryptographers who have already tried millions of possible keys. Tucked deep inside the Gödel module, the secret warhead is loaded onto USB sticks and removable drives when they're connected to Gauss-infected machines. When the drives are plugged into an uninfected computer later, the mysterious code is executed—but only if it encounters the specific machine or machines targeted by the Gauss developers. On every other computer, the module remains cloaked in an impenetrable envelope that prevents researchers and would-be copycats from reverse engineering the code. The extreme stealth has stoked speculation that the payload may contain a potent exploit that could rival the Stuxnet attack that was bent on destroying uranium centrifuges inside Iran's high-security Natanz enrichment facility. Certainly not your everyday malware.

"Considering the link with Flame and Stuxnet, the payload of Gauss must be of similar magnitude," Costin Raiu, director of Kaspersky Lab's global research and analysis team, told Ars. "Given how careful the attackers were to make sure the Gauss payload doesn't fall into the 'wrong' hands, we can assume it is very special."




Re: Gauss - cyber weapon malware

Post by Pigeon » Fri Mar 15, 2013 1:02 am


Gauss developers implemented this advanced concept using a surprisingly unsophisticated set of tools. That set includes the relatively archaic RC4 cipher to encrypt three sections of the Gödel module and the cryptographically weak MD5 algorithm to generate the key. Gauss developers likely chose the outdated design because it worked reliably across a broad range of Windows computers thanks to the Microsoft CryptoAPI. Keys unlocking the Gödel payload are generated dynamically based on the settings of one or more computers that were specifically targeted by the attackers. Only the machine or machines containing a specific set of programs and directories will generate the key. To confound people trying to crack the code—and to considerably slow the speed at which they work—Gauss MD5 hashes the configuration data 10,000 times and uses the final output as the key that unlocks the encrypted code.

Specifically, Gauss enumerates the first entry of an infected computer's path environment, which specifies the Windows directories where executable files can be called without specifying their precise location. Gauss then combines that PATH location with the name of the first directory found in the infected computer's Windows Program Files folder. It takes this string and appends a 16-byte hard-coded cryptographic salt value to it and then hashes the new string 10,000 times. It compares the final hash against a hard-coded verification block. If the hash doesn't pass the verification check, Gauss starts the process all over again, this time appending the second entry of the path to the first Program Files folder. The process is repeated until each entry in the path has been appended to each entry in the Program Files.

If a hash value passes the verification check, Gauss has located the mysterious PATH and program file that the Gödel module was programmed to find. It then takes that string, appends a new salt value to it, and hashes it 10,000 times. The resulting hash is the RC4 key used to decrypt one of the three encrypted Gödel sections. If the decrypted block passes an additional verification check, Gauss takes the same path and program files string, then appends a different hard-coded salt to decrypt sections two and three.
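The candidate search and key derivation described in this post, written out as an added example; this is not code from the article or from Kaspersky. The salts, the concatenation order and the UTF-16LE encoding are placeholders and assumptions, since the post gives none of them.

```python
import hashlib
from itertools import product

ROUNDS = 10000  # the post: the configuration string is MD5-hashed 10,000 times

# Constructed placeholder salts; the real hard-coded 16-byte salts are not in the post.
VERIFY_SALT = bytes(range(16))
SECTION_SALT = bytes(range(16, 32))


def iterated_md5(data: bytes, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """MD5(data || salt), then MD5(previous digest || salt) for the remaining
    rounds. Chaining on the previous digest is an assumption; the post only
    says the salted string is hashed 10,000 times."""
    digest = hashlib.md5(data + salt).digest()
    for _ in range(rounds - 1):
        digest = hashlib.md5(digest + salt).digest()
    return digest


def candidate_bytes(path_entry: str, pf_dir: str) -> bytes:
    """PATH entry followed by the Program Files directory name. The order and
    the UTF-16LE encoding are assumptions, not stated in the post."""
    return (path_entry + pf_dir).encode("utf-16-le")


def find_trigger(path_entries, pf_dirs, verification_block):
    """Mirror the search: for each Program Files directory, try each PATH entry
    until the iterated hash equals the hard-coded verification block.
    Returns the matching (path_entry, pf_dir), or None when no pair matches."""
    for pf_dir, path_entry in product(pf_dirs, path_entries):
        if iterated_md5(candidate_bytes(path_entry, pf_dir), VERIFY_SALT) == verification_block:
            return path_entry, pf_dir
    return None


def derive_section_key(path_entry: str, pf_dir: str, section_salt: bytes) -> bytes:
    """The same trigger string with a different salt, hashed 10,000 times, is
    the RC4 key for one encrypted Gödel section (RC4 itself is omitted here)."""
    return iterated_md5(candidate_bytes(path_entry, pf_dir), section_salt)


def demo():
    """Constructed scenario: a verification block built from one chosen pair,
    then a search over decoy PATH entries and Program Files directories."""
    target = (r"C:\Windows\system32", "Common Files")
    verification_block = iterated_md5(candidate_bytes(*target), VERIFY_SALT)
    path_entries = [r"C:\Windows", r"C:\Windows\system32", r"C:\Tools"]
    pf_dirs = ["7-Zip", "Common Files", "Internet Explorer"]
    return find_trigger(path_entries, pf_dirs, verification_block)


if __name__ == "__main__":
    print(demo())
```

The point for an analyst is that the verification block only confirms a guess; without the right configuration string the 10,000-round salted MD5 gives nothing to work backwards from.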



Re: Gauss - cyber weapon malware

Post by Pigeon » Fri Mar 15, 2013 1:07 am

The encrypted payload in the Gödel module is by no means the only mystery surrounding Gauss. Researchers still don't know how the malware takes hold of target computers in the first place or how it spreads from one machine to another. They're also at a loss to explain why Gauss installs a custom font known as "Palida Narrow" and corresponding registry values on infected machines. Analysts have speculated that the font may be used to steganographically fingerprint the author of certain printed materials. Under alternate theories, Palida Narrow, which appears to contain valid Western, Baltic, and Turkish symbols, may provide a simple means for websites to identify infected machines, or even open a font-based vulnerability to exploit.

Also unexplained is the Round Robin DNS load balancing technique deployed by control servers used to ferry traffic to and from Gauss-infected machines. The setup suggests that the command servers handled massive amounts of traffic, and yet so far, Kaspersky researchers have been able to find just 2,500 computers infected by the malware. The effort Gauss architects expended setting up the load-balancing system indicates that the true number of affected machines could be in the tens of thousands.



Re: Gauss - cyber weapon malware

Post by Pigeon » Fri Mar 15, 2013 4:21 pm

Ah, Gödel...

Strange loops might be the rule, not the exception.


Re: Gauss - cyber weapon malware

Post by Pigeon » Sun Mar 17, 2013 5:51 pm

Here is a PDF on Gauss from Kaspersky Labs

More Gauss info from Kaspersky


Re: Gauss - cyber weapon malware

Post by Pigeon » Sun Mar 17, 2013 6:12 pm

Gauss is the most recent cyber-surveillance operation in the Stuxnet, Duqu and Flame saga.

It was probably created in mid-2011 and deployed for the first time in August-September 2011.

Gauss was discovered during the course of the ongoing effort initiated by the International Telecommunication Union (ITU), following the discovery of Flame. The effort is aimed at mitigating the risks posed by cyber-weapons, which is a key component in achieving the overall objective of global cyber-peace.

In 140 chars or less, “Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation”. Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated on certain specific system configurations.

Just like Duqu was based on the “Tilded” platform on which Stuxnet was developed, Gauss is based on the “Flame” platform. It shares some functionalities with Flame, such as the USB infection subroutines.

What is Gauss? Where does the name come from?

Gauss is a complex cyber-espionage toolkit created by the same actors behind the Flame malware platform. It is highly modular and supports new functions which can be deployed remotely by the operators in the form of plugins. The currently known plugins perform the following functions:
  • Intercept browser cookies and passwords.
  • Harvest and send system configuration data to attackers.
  • Infect USB sticks with a data stealing module.
  • List the content of the system drives and folders.
  • Steal credentials for various banking systems in the Middle East.
  • Hijack account information for social network, email and IM accounts.
In addition, the authors forgot to remove debugging information from some of the Gauss samples, which contain the paths where the project resides.

The paths are:

Variant             Path to project files
August 2011         d:\projects\gauss
October 2011        d:\projects\gauss_for_macis_2
Dec 2011-Jan 2012   c:\documents and settings\flamer\desktop\gauss_white_1

One immediately notices “projects\gauss”.

In regard to the “white” part - we believe this is a reference to Lebanon, the country with the most Gauss infections. According to Wikipedia, “The name Lebanon comes from the Semitic root LBN, meaning "white", likely a reference to the snow-capped Mount Lebanon.” http://en.wikipedia.org/wiki/Lebanon#Etymology



Dr Exile
Posts: 2349
Joined: Tue Apr 05, 2011 5:37 pm
Location: Skellig Michael

Re: Gauss - cyber weapon malware

Post by Dr Exile » Mon Mar 18, 2013 3:03 am

Is this what took down Amkon? Joint seems to have evaporated.
Credo quia absurdum.


Re: Gauss - cyber weapon malware

Post by Pigeon » Mon Mar 18, 2013 3:17 am

Nope. ISP shut it down because it got DOS'ed three times.

Currently there is a lack of skilled workers while it is being moved / restarted.


Re: Gauss - cyber weapon malware

Post by Dr Exile » Mon Mar 18, 2013 3:28 am

What does "DOS'ed" mean?
Credo quia absurdum.


Re: Gauss - cyber weapon malware

Post by Pigeon » Mon Mar 18, 2013 3:41 am

Denial of service. Send huge volume of packets to server to slow it down and keep it very busy.
